Are you at IAPP – International Association of Privacy Professionals P.S.R. #PSR18 in Austin? If so, please come to our Thursday 10:30 – 11:30 session on Vendor Risk Management: Maintaining Relationships While Limiting Liability in Lone Star Ballroom A, Level 3. It should be great as I get to be with great panelists Tami Dokken and Melissa Krasnow and we will have Mark Smith as our moderator.
While you’re there pick up your copy of Bloomberg BNA’s Domestic Privacy Profile: Texas!
Cybersecurity is a team sport and many people within a business must work together to help effectively manage their businesses’ cyber risk. In-house counsel plays a critical role in this process. A recent Law360 article (subscription required) identified the following key things they can do:
Develop, implement, and table-top test an incident response plan
Today is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.
What is Data Privacy Day?
Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated cybersecurity education and awareness. According to the NCSA,
DATA PRIVACY DAY IS AN INTERNATIONAL EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY AND CONTROL THEIR DIGITAL FOOTPRINT.
DATA PRIVACY DAY BEGAN IN THE UNITED STATES AND CANADA IN JANUARY 2008 AS AN EXTENSION OF THE DATA PROTECTION DAY CELEBRATION IN EUROPE. DATA PROTECTION DAY COMMEMORATES THE JANUARY 28, 1981, SIGNING OF CONVENTION 108, THE FIRST LEGALLY BINDING INTERNATIONAL TREATY DEALING WITH PRIVACY AND DATA PROTECTION. DATA PRIVACY DAY IS NOW A CELEBRATION FOR EVERYONE, OBSERVED ANNUALLY ON JANUARY 28.
DATA FLOWS FREELY IN TODAY’S ONLINE WORLD. EVERYONE – FROM HOME COMPUTER USERS TO MULTINATIONAL CORPORATIONS – NEEDS TO BE AWARE OF THE PERSONAL DATA OTHERS HAVE ENTRUSTED TO THEM AND REMAIN VIGILANT AND PROACTIVE ABOUT PROTECTING IT. BEING A GOOD ONLINE CITIZEN MEANS PRACTICING CONSCIENTIOUS DATA STEWARDSHIP. DATA PRIVACY DAY IS AN EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY, CONTROL THEIR DIGITAL FOOTPRINT, AND MAKE THE PROTECTION OF PRIVACY AND DATA A GREAT PRIORITY IN THEIR LIVES.
14 Tips For Keeping Your Company’s Data Secure
In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:
Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.
The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.
When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis
A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.
If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.
The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:
the nature of your company’s culture, both internally and externally
the nature of your company’s customers
the nature of your company’s products or services
the nature of your company’s operations and management structure
the type, volume, and sensitivity of the data your company collects and retains
the security measures your company has in place
the resources your company has to devote to data security issues
the security standards of your company’s particular industry
Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I can not over-emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
CLICK HERE if you are impatient and only want to know what you should do ASAP to protect against Spectre and Meltdown
With Y2K we had a warning. So much of a warning that it pushed me into cyber law in 1998. We were told of an apocalypse if we did not heed the warning and fix the problem. Whether we did, or whether it was a lot of hype is still being debated, but the problem was averted. When the ball dropped on NYE 2000, the planes were still flying, power grid still operating, and banks still banking.
Fast forward eighteen years, NYE 2018, the ball drops and, while we are closing out a year when the word cybersecurity (yes, it is one word, not two) has become a part of everybody’s vernacular, the only thing we were thinking of when hearing the words “Spectre” and “Meltdown” was a James Bond movie marathon on New Year’s Day.
Now unlike with Y2K, the problem in and of itself will not directly cause a failure but is a vulnerability that has been exposed that will allow others — the bad guys (whoever they may be) — to exploit the vulnerability. But take no comfort in this because you can bet, to the bad guys, the revelation of this vulnerability made this exploit Target of Opportunity #1 for all.
The fix? This where it gets good. “Meltdown” can likely be mitigated with software patches, which programmers at major companies are fervently writing as I write. The problem is, these patches will lead to a degradation of computer performance by 20% to 30% — but they are not optional. You must install them.
“Spectre” is where it could get really nasty. This will likely require a redesign of the computer processors themselves — a wholesale hardware redesign that focuses more on security vis-a-vis performance. Then, in order to implement the fix, the hardware will have to be replaced — the CPUs in all of the world’s computers upgraded.
Sounds pretty bad, doesn’t it? Is this the real Y2K apocalypse arriving eighteen years late — Y2K18 or Y2K8teen? It could be.
However, remember, “Wanna Cry” was only one exploit to a specific outdated Windows operating system that was revealed and had a patch issued for months before it actually hit. We all had better take this one seriously.
What can you do? When the patches come out from Microsoft, Apple, etc. and they tell you to install the patch to protect your computer, do it, immediately, and with a smile because losing 20% to 30% of your computing power is far better than losing 100%!
In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.
As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.
My practice has been divided into three distinct areas over the last several years:
Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
Reactively, by leading companies through the cyber incident response and data breach response process (e.g., as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.
For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.
This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.
But in the last quarter of 2017, this has changed.
The trend that I have observed developing over the last Quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm for helping them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.
What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.
I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.